This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "CPWE"
Deleted user (talk | contribs) m (→Common Program Weakness Enumeration) |
Deleted user (talk | contribs) m (→Introduction) |
||
| Line 3: | Line 3: | ||
= Introduction = | = Introduction = | ||
| − | This cheat sheet for CISO is intended for an executive audience. It contains a list / taxonomy of application security program weaknesses that intended to be built out over time, similar to the presentation and content of MITRE's CWE for software weaknesses. The list of weaknesses is called the OWASP Common Program Weakness Enumeration (CPWE) and spans both topics having to do with (1)institutionalization of | + | This cheat sheet for CISO is intended for an executive audience and for application security program assessors. It contains a list / taxonomy of application security program weaknesses that intended to be built out over time, similar to the presentation and content of MITRE's CWE for software weaknesses. The list of weaknesses is called the OWASP Common Program Weakness Enumeration (CPWE) and spans both topics having to do with (1)institutionalization of an application security program and also (2)systems development touch points. One example use case is an organization having a SAMM or BSIMM assessment done, but the findings are mapped to CPWE, in a similar fashion as one can generally configure assessment tools to map findings to CWE or Top Ten, so that one can compare apples to apples regardless of if SAMM or e.g. BSIMM or what have you are used. Long-term goals may include creating an OWASP CISO Top Ten project using the CPWE as inputs (i.e. that draws from the list), as a sort of brass ring for an OWASP CISO "guide". |
= Common Program Weakness Enumeration = | = Common Program Weakness Enumeration = | ||
Revision as of 20:54, 29 August 2012
Under construction.
Introduction
This cheat sheet for CISO is intended for an executive audience and for application security program assessors. It contains a list / taxonomy of application security program weaknesses that intended to be built out over time, similar to the presentation and content of MITRE's CWE for software weaknesses. The list of weaknesses is called the OWASP Common Program Weakness Enumeration (CPWE) and spans both topics having to do with (1)institutionalization of an application security program and also (2)systems development touch points. One example use case is an organization having a SAMM or BSIMM assessment done, but the findings are mapped to CPWE, in a similar fashion as one can generally configure assessment tools to map findings to CWE or Top Ten, so that one can compare apples to apples regardless of if SAMM or e.g. BSIMM or what have you are used. Long-term goals may include creating an OWASP CISO Top Ten project using the CPWE as inputs (i.e. that draws from the list), as a sort of brass ring for an OWASP CISO "guide".
Common Program Weakness Enumeration
The comprehensive CPWE dictionary is below. Its presentation and content build upon conventions used in the MITRE CWE project for consistency.
CPWE-xx: ...
Description
Description Summary
Extended Description
Time of Introduction
Modes of Introduction
Common Consequences
Potential Mitigations
Phase: ...
Phase: ...
References
CPWE-xx: ...
CPWE-xx: ...
Authors and Primary Editors
Mike Boberski - boberski_michael [at] bah.com
Other Cheatsheets
OWASP Cheat Sheets Project Homepage
